Skip to content
Snippets Groups Projects
Commit 207e3074 authored by Benjamin Hättasch's avatar Benjamin Hättasch
Browse files

Introduce a Content Security Policy (using django-csp as new dependency) 

Add django-csp to dependencies
Load middleware
Add config that matches current usage but with most possible restriction
parent 1e7ca6bf
No related branches found
No related tags found
No related merge requests found
Hide whitespace changes
Inline Side-by-side
AKPlanning/settings.py
+ 10
0
View file @ 207e3074
......@@ -63,6 +63,7 @@ MIDDLEWARE = [
'django.middleware.csrf.CsrfViewMiddleware',
'django.contrib.auth.middleware.AuthenticationMiddleware',
'django.contrib.messages.middleware.MessageMiddleware',
'csp.middleware.CSPMiddleware',
'django.middleware.clickjacking.XFrameOptionsMiddleware',
'simple_history.middleware.HistoryRequestMiddleware',
]
......@@ -194,4 +195,13 @@ DASHBOARD_RECENT_MAX = 25
SIMPLE_BACKEND_REDIRECT_URL = "/user/"
LOGIN_REDIRECT_URL = SIMPLE_BACKEND_REDIRECT_URL
# Content Security Policy
CSP_DEFAULT_SRC = ("'self'",)
CSP_SCRIPT_SRC = ("'self'", "'unsafe-inline'")
CSP_STYLE_SRC = ("'self'", "'unsafe-inline'", "fonts.googleapis.com")
CSP_IMG_SRC = ("*", "data:")
CSP_MEDIA_SRC = ("*", )
CSP_FRAME_SRC = ("'self'", )
CSP_FONT_SRC = ("'self'", "data:", "fonts.gstatic.com")
include(optional("settings/*.py"))
requirements.txt
+ 1
0
View file @ 207e3074
......@@ -8,5 +8,6 @@ django-simple-history==3.0.0
django-registration-redux==2.9
django-debug-toolbar==3.2.1
django-bootstrap-datepicker-plus==3.0.5
django-csp==3.7
mysqlclient==2.0.3 # for production deployment
pytz==2021.1
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment